From: syzbot <syzbot+0ad741797f4565e7e2d2-Pl5Pbv+GP7P466ipTTIvnc23WoclnBCfAL8bYrjMMd8@public.gmane.org>
To: konishi.ryusuke-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
	linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-nilfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	syzkaller-bugs-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
Subject: Re: [syzbot] [nilfs?] general protection fault in folio_create_empty_buffers
Date: Fri, 04 Aug 2023 08:41:04 -0700	[thread overview]
Message-ID: <0000000000007f094106021ab951@google.com> (raw)
In-Reply-To: <0000000000002930a705fc32b231-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>

syzbot has found a reproducer for the following issue on:

HEAD commit:    bdffb18b5dd8 Add linux-next specific files for 20230804
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1625c47da80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4edf5fc5e1e5446f
dashboard link: https://syzkaller.appspot.com/bug?extid=0ad741797f4565e7e2d2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14b893bea80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16764a71a80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9d65b99a07c2/disk-bdffb18b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8b9623d8bd2e/vmlinux-bdffb18b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3e6c96c97edb/bzImage-bdffb18b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/17c4ca724160/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0ad741797f4565e7e2d2-Pl5Pbv+GP7P466ipTTIvnc23WoclnBCfAL8bYrjMMd8@public.gmane.org

general protection fault, probably for non-canonical address 0xdffffc000000003a: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000001d0-0x00000000000001d7]
CPU: 0 PID: 5323 Comm: segctord Not tainted 6.5.0-rc4-next-20230804-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
RIP: 0010:do_raw_spin_lock+0x6e/0x2b0 kernel/locking/spinlock_debug.c:114
Code: 81 48 8d 54 05 00 c7 02 f1 f1 f1 f1 c7 42 04 04 f3 f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e3
RSP: 0018:ffffc9000507f6e8 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: 00000000000001d0 RCX: 0000000000000000
RDX: 000000000000003a RSI: ffffffff8ac889a0 RDI: 00000000000001d4
RBP: 1ffff92000a0fede R08: 0000000000000000 R09: fffffbfff1d598ca
R10: ffffffff8eacc657 R11: 000000000000004e R12: 0000000000000000
R13: ffffea0001ca6bc0 R14: ffff888072088d98 R15: ffffea0001ca6bd8
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000480 CR3: 0000000027f80000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 spin_lock include/linux/spinlock.h:351 [inline]
 folio_create_empty_buffers+0xb0/0x470 fs/buffer.c:1657
 nilfs_lookup_dirty_data_buffers+0x5a1/0x720 fs/nilfs2/segment.c:730
 nilfs_segctor_scan_file+0x1b1/0x6f0 fs/nilfs2/segment.c:1080
 nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1202 [inline]
 nilfs_segctor_collect fs/nilfs2/segment.c:1529 [inline]
 nilfs_segctor_do_construct+0x2f11/0x8bf0 fs/nilfs2/segment.c:2077
 nilfs_segctor_construct+0x924/0xb50 fs/nilfs2/segment.c:2411
 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2519 [inline]
 nilfs_segctor_thread+0x38f/0xe90 fs/nilfs2/segment.c:2602
 kthread+0x33a/0x430 kernel/kthread.c:389
 ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
RIP: 0010:do_raw_spin_lock+0x6e/0x2b0 kernel/locking/spinlock_debug.c:114
Code: 81 48 8d 54 05 00 c7 02 f1 f1 f1 f1 c7 42 04 04 f3 f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e3
RSP: 0018:ffffc9000507f6e8 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: 00000000000001d0 RCX: 0000000000000000
RDX: 000000000000003a RSI: ffffffff8ac889a0 RDI: 00000000000001d4
RBP: 1ffff92000a0fede R08: 0000000000000000 R09: fffffbfff1d598ca
R10: ffffffff8eacc657 R11: 000000000000004e R12: 0000000000000000
R13: ffffea0001ca6bc0 R14: ffff888072088d98 R15: ffffea0001ca6bd8
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000480 CR3: 0000000027f80000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	81 48 8d 54 05 00 c7 	orl    $0xc7000554,-0x73(%rax)
   7:	02 f1                	add    %cl,%dh
   9:	f1                   	int1
   a:	f1                   	int1
   b:	f1                   	int1
   c:	c7 42 04 04 f3 f3 f3 	movl   $0xf3f3f304,0x4(%rdx)
  13:	65 48 8b 14 25 28 00 	mov    %gs:0x28,%rdx
  1a:	00 00
  1c:	48 89 54 24 60       	mov    %rdx,0x60(%rsp)
  21:	31 d2                	xor    %edx,%edx
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx <-- trapping instruction
  2e:	48 89 f8             	mov    %rdi,%rax
  31:	83 e0 07             	and    $0x7,%eax
  34:	83 c0 03             	add    $0x3,%eax
  37:	38 d0                	cmp    %dl,%al
  39:	7c 08                	jl     0x43
  3b:	84 d2                	test   %dl,%dl
  3d:	0f                   	.byte 0xf
  3e:	85 e3                	test   %esp,%ebx


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
